Mobile devices such as mobile phones are taking on a broader role in conducting and managing financial affairs, in what may be termed “mobile banking”. A mobile banking system may allow users of the system to conduct financial transactions through, for example, a mobile phone. However, the security limitations of mobile phones and mobile communication networks have, in some cases, posed a stumbling block that hinders the wide adoption and growth of mobile banking.
For instance, it is common for mobile phones to provide data encryption using only software. Such a device may comply only with Security Level 1 of the Federal Information Processing Standard 140-2 (FIPS 140-2), which provides only a minimum level of security for protecting sensitive information, and the device may lack the capability to securely send end-to-end encrypted communications.
As a result, sensitive information such as Personal Identification Numbers (PINs) and Primary Account Numbers (PANs) should not be stored on the mobile phones of a mobile banking system. This may pose limitations in authenticating financial transaction authorization requests, and may further mean that sensitive information, e.g. a PIN, must be sent from the mobile phone over the communication network to backend systems in order to authenticate the request. This creates a vulnerability in which such sensitive information can be intercepted by malicious parties and used for fraudulent purposes.